master’s degree thesis - univerza v ljubljani
TRANSCRIPT
UNIVERSITY OF LJUBLJANA
FACULTY OF ECONOMICS
MASTER’S DEGREE THESIS
ENTERPRISE RISK MANAGEMENT ANALYSIS WITH
SUGGESTIONS FOR IMPROVEMENTS FOR THE SELECTED
COMPANY
Ljubljana, november 2010 ALJA FERKOLJ
STATEMENT
I Alja Ferkolj hereby certify that I am the author of this Master’s thesis that was written under
the mentorship of Prof. Katja Zajc Kejžar and in compliance with the Copyright and Related
Rights Act – Para. 1, Article 21. I herewith allow this thesis to be published on the website
pages of the Faculty of Economics.
Ljubljana: _______________ Signature: __________________
i
LIST OF CONTENTS
INTRODUCTION .................................................................................................................... 1
1 RISK ..................................................................................................................................... 3
1.1 Risk definition ............................................................................................................... 3
1.2 Risk in multinational firms .......................................................................................... 4
1.2.1 Country-specific risk ............................................................................................... 5
1.2.1.1 Country economic risk ..................................................................................... 5
1.2.1.2 Country financial risk ....................................................................................... 6
1.2.1.3 Country currency risk ....................................................................................... 6
1.2.1.4 Country political risk ........................................................................................ 7
1.2.2 Firm specific risk ..................................................................................................... 8
1.2.3 Systematic risk ...................................................................................................... 10
2 ENTERPRISE RISK MANAGEMENT .......................................................................... 10
2.1 Definition of Enterprise Risk Management (ERM) ................................................ 10
2.1.1 Forces for ERM evolution ..................................................................................... 11
2.1.2 ERM framework .................................................................................................... 13
2.1.2.1 Types of enterprise's risk ................................................................................ 13
2.1.2.2 ERM process steps ......................................................................................... 15
3 ENTERPRISE RISK MEASURES AND MODELS ...................................................... 17
3.1 Risk measures ............................................................................................................. 17
3.2 Risk modelling ............................................................................................................ 18
4 ERM IMPLEMENTATION ............................................................................................. 20
4.1 The ERM implementation challenges ....................................................................... 20
4.1.1 Defining risk terminology ..................................................................................... 20
4.1.2 Selecting the ERM framework .............................................................................. 20
4.1.3 Articulating ERM benefits/impacts ....................................................................... 22
4.1.4 Integrating strategy and human resources into ERM successfully ........................ 22
4.1.5 Fixing boundaries between ERM and Sarbanes Oxley Act of 2002 ..................... 23
5 RISK MANAGEMENT IN THE SELECTED COMPANY ......................................... 23
5.1 Introduction of the company ..................................................................................... 23
5.2 Risk Management in selected company .................................................................... 25
5.2.1 Corporate Risk and Insurance department ............................................................ 25
5.2.2 Corporate Treasury department ............................................................................. 26
6 Enterprise Risk Management in the selected company ................................................. 28
6.1 ERM process steps in selected company .................................................................. 29
6.1.1 Risk identification ................................................................................................. 30
ii
6.1.2 Risk assessment in the selected company ............................................................. 31
6.1.2.1 Qualitative risk assessment in the selected company ..................................... 31
6.1.3 Risk response ......................................................................................................... 36
6.2 Quantitative risk analysis in the selected company ................................................. 38
6.2.1 Risk simulation in selected company .................................................................... 40
6.2.2 Application of the risk simulation outputs ............................................................ 42
7 ANALYSIS OF THE ERM IN THE SELECTED COMPANY ................................... 44
7.1 Suggestions for the selected company ....................................................................... 47
CONCLUSION ....................................................................................................................... 49
LITERATURE AND SOURCES .......................................................................................... 52
APPENDIX
iii
LIST OF FIGURES
Figure 1: COSO’s ERM Framework ........................................................................................ 21
Figure 2: The ERM process steps in the selected company ..................................................... 29
Figure 3: Top 10 risks heat map of the Slovene subsidiary of the selected company ............. 36
Figure 4: S Probability Curve for the Slovene subsidiary of the selected company according
to the risk review in March 2010 ............................................................................. 41
Figure 5: Risk Model Sensitivity analysis for the Slovene subsidiary of the selected company
according to the risk review in March 2010 ............................................................ 42
LIST OF TABLES
Table 1: Firm-specific uncertainties ........................................................................................... 8
Table 2: ERM Framework ........................................................................................................ 13
Table 3: The contrast between statistical analytical and structural simulations methods ........ 19
Table 4: EBIT split of the selected company in 2009 .............................................................. 24
Table 5: Risk universe of the selected company ...................................................................... 30
Table 6: Qualitative probability assessment of identified risks in the selected company ........ 32
Table 7: Impact assessment of identified risks in the selected company ................................. 32
Table 8: Qualitative risk assessment of the Slovene subsidiary of the selected company
performed in March 2010 ........................................................................................ 34
Table 9: Risk response plans for the identified risks in the Slovene subsidiary of the selected
company in March 2010 .......................................................................................... 37
Table 10: Risk model of the Slovene subsidiary of the selected company according to the risk
review in March 2010 .............................................................................................. 40
Table 11: The percentiles for cumulative impact of the identified risks for the Slovene
subsidiary of the selected company according to the risk review in March 2010 ... 42
Table 12: Comparison of percentiles for the cumulative impact of identified risks for the
Slovene subsidiary of the selected company according to the risk reviews in March
and June 2010. ......................................................................................................... 45
Table 13: Comparisons between likelihood and most likely costs of the identified risks
according to the risk assessment in March and June 2010 ...................................... 46
1
INTRODUCTION
Problem identification
The process of globalization leads to the emergence of multinational firms which are
spreading production, communication, technology and knowledge across the world. The
complexity and the size of inter relationships in multinational firms can be linked to risks that
are specific to multinational firms.
Globalization, the advance in technology, increasing financial sophistication and the
uncertainty of irrational terrorist activity contribute to the growing number and complexity of
risks. Organizations are facing an increasing number and a greater variety of risks and there is
growing recognition that risk must be managed with the total organization in mind. All
organizations are required to have a more practical approach to dealing with risk that goes
beyond the statistical and analytical to future scenarios and planning (Jolly, 2003).
Identifying and treating risk by transfer, through insurance or other financial product, has
been standard management activity. What has changed, beginning at the close of the 20th
century, is treating the vast variety of risks in a holistic manner, and elevating risk
management to a senior management responsibility (CAS, 2003).
Organizations have recognized the importance of managing all risks and their interactions.
Furthermore, publicly traded companies are well aware of the desire of their shareholders for
stable and predictable earnings, which is one of the key objectives of Enterprise Risk
Management.
Enterprise Risk Management (ERM) emphasizes a comprehensive view of risk and risk
management meaning that different risks within an organization should not be managed
separately. Rather than focusing solely on hazard or financial forms of risk, enterprise risk
management seeks to address all events that might adversely or positively impact the
performance of an organization. Vast variety of risks should be treated in a holistic manner
and the correlation of the various risks should be analysed.
Companies that understand their risks better than their competitors are in a very powerful
position to leverage risk to a competitive advantage. Greater knowledge of risks delivers the
ability to deal with risk that intimidates competitors, to project adversity better than
competitors, and to manage risk at the lowest costs (Davenport and Bradley, 2000).
In the thesis a theoretical framework is used to evaluate the ERM concepts on the ERM
process in the selected multinational company dealing with production, sale and distribution
of non-alcoholic beverages. The company operates in 28 different countries and there is a
strong need for increased governance and risk control. The selected company has in the year
2
2009 initiated a project for improvement of ERM process in the company’s subsidiaries. The
main goal of the project was to involve senior management teams in subsidiaries in risk
assessment.
I was nominated as Risk advisor for Slovene subsidiary of the selected company, responsible
for improvement of ERM process. In the thesis I will analyze ERM process and its
performance in Slovene subsidiary and compare it with competent literature and suggest
improvements.
Purpose and goals of the thesis
The purpose of this master’s thesis is to encourage managers to use an integrated approach to
risk management and elevate risk management to a senior management team. Companies
should not analyse each risk separately, but should also analyse the correlation of various risk.
I want to encourage the senior management team in the selected company to actively
participate in risk identification and assessment as I believe that understanding risk better than
competition can be a source of competitive advantage of the firm.
Furthermore, the purpose of the master’s thesis is to introduce the concept of the Enterprise
Risk Management to the wider society, interested in this topic.
Goals of the master’s thesis:
introduce the concept of Enterprise Risk Management
define current situation of the ERM process in the selected company compared to
competent literature
suggest improvements for the selected company in order to improve the existing ERM
process
Methods of the thesis
The first method used is a review of relevant literature and theoretical findings on Enterprise
Risk Management as well as the most common barriers that companies are facing when
implementing the ERM process. This is followed by a review of the ERM implementation
practise on the case of the selected company. The next method used in the thesis is an
evaluation of the current ERM performance in the Slovene subsidiary of the selected
company compared to initial targets. Based on the analysis of the theoretical findings on ERM
and on the case of the selected company I will suggest improvements for the selected
company.
3
Structure of the thesis
Following the introduction of the problem, purpose, goals and the method of the thesis, the
chapters are organized as follows. The first chapter summarizes the most common definitions
in the field of risk and the main categories of risk facing multinational firms. The second
chapter describes the Enterprise Risk Management and the main drivers for its evolution.
ERM framework is conceptualized by defining the risk types and the various process steps.
Enterprise Risk Measurements and models are introduced in the third chapter. The fourth
chapter summarizes the most common challenges in the phase of the ERM implementation.
In the fifth chapter the selected multinational company is introduced. Risk management in the
selected company is introduced in general with the emphasis on changes leading towards the
implementation of ERM process in the company’s subsidiaries. The implementation of the
ERM process and its current performance in the Slovene subsidiary of the selected company
is described in the sixth chapter. The ERM process steps common for all the subsidiaries of
the selected company will be presented with the concrete data for the Slovene subsidiary. The
last chapter will analyse the improvements of the ERM process in the Slovene subsidiary of
the selected company in year 2010 and suggest further improvements.
1 RISK
1.1 Risk definition
There are several definitions of risk as risk management is constantly developing as an
essential tool for the effective manager. Even though there is no unique definition of risk, the
common feature of many risk definitions is that risk deals with uncertainty. In the past risk
was more often associated with events which could have negative impacts, while recently the
term risk is used also for uncertainties with positive impacts.
One of the most general definitions of risk was defined by the International Organization for
Standardization in the ISO 31000 standard. According to this standard Risk is defined as the
effect of uncertainty on objectives (ISO, 2009).
In Strategic Management the term risk is used in reference to unanticipated variation or
negative variation in business outcome variables such as revenues, costs, profit, market share,
and so forth. Managers generally associate risk with negative outcomes (March and Shapira,
1987).
In finance, one measure of risk is the probability that the actual return on an investment will
diverge from its expected value. How risky an investment is depends on how much the actual
return is likely to diverge from its expected value. The most commonly used statistical
measure of how much a variable is likely to diverge from its expected value is standard
4
deviation. Standard deviation is the square root of the variance which is calculated according
to the following formula (Clark & Mairos, 1996, p. 35):
Rj is possible outcome j, E (R) denotes the expected return and Pj is the probability of
possible outcome j
Managing risk in a consistent, efficient, sustainable manner has become a critical boardroom
priority as all members of the senior leadership team face unprecedented levels of business
complexity, changing geopolitical threats, new regulations and legislation, and increasing
shareholder demands (Paisley, 2010).
1.2 Risk in multinational firms
International business offers companies new markets. Since the 1950s, the growth of
international trade and investment has been substantially larger than the growth of domestic
activities. Technology continues to increase the reach and the ease of conducting international
business, pointing to even larger growth potential in the future (Czinkota & Ronkainen &
Moffett, 2005, p. 5).
Changes that have taken in international markets are of great importance. Many markets have
recently become deregulated with reductions in barriers to trade, and this has enhanced
trading opportunities. New patterns of organization and business location have emerged,
including using foreign suppliers, foreign direct investments, joint ventures, and international
co-operation (Brooks, Weatherston & Wilkinson, 2004, p. 121).
Multinational companies operate in many different countries with different political, financial
and economic systems. The heterogeneity of the environment in which multinationals operate
has a strong influence on their risk exposure.
While multinational companies are opening subsidiaries in many different countries, they are
also transferring their main resources, such as capital and knowledge. Although multinational
companies have control of their subsidiaries, this control is not absolute. In fact, subsidiaries
have some autonomy at their disposal to manage their activities. Many important decisions
such as launching a new product, the choices about prices or technologies, and the
employment level are generally made by subsidiaries (Hilmi, 2007).
Overseas investments of multinational firms are not only a huge opportunity, but also an
enormous risk. To assess and manage this risk, multinational firms have to understand the
(1) )(1
22
n
j
jj pRER
5
volatility of the global marketplace. This puts pressure on local cultures and identities, on
established political boundaries and social constituencies and on traditional market
arrangements (Boczko, 2005).
The three main categories of risk facing multinational firms are:
Country-specific
Firm-specific
Global/systematic risk
1.2.1 Country-specific risk
Country-specific risk refers to the volatility of returns on international business transactions
caused by events associated with a particular country as opposed to events associated with a
particular economic or financial agent (Clark & Marois, 1996, p. 44).
Country risk is defined using a wide range of political, economic and socio-cultural criteria.
Broadly, it is the exposure that a company faces as a consequence of a change in a national
government's policy and the effect this change could have on the value of an investment, a
project or cash receipts. Country risk often arises when a government seeks to expropriate
assets or profits, impose discriminatory pricing intervention policies, enforce restrictive
foreign exchange currency controls or impose discriminatory tax laws. It can also occur if a
government attempts to impose social or work related regulations that favour domestic
companies, limit the movement of assets or restrict access to local resources (Boczko, 2005).
Country-specific risk is usually broken down into four main components: economic, financial,
currency and political risk. The economic, financial and currency components are market
based, while political risk is broader and refers to the probability that decisions that are
unfavourable to the firm's interests will be taken at the political level. All four components of
risk are interactive meaning that economic, currency and financial situations will have
consequences on the political climate as well as on each other.
1.2.1.1 Country economic risk
Country economic risk refers to the volatility of macroeconomic performance which is often
measured by real gross national product or real gross domestic product. To include
information on the economy's overall assets and liabilities, country's economic risk is rather
measured as the volatility of macroeconomic rate of return. Country's macroeconomic
performance plays an important role in determining the outcome of certain business
transactions. A volatile macroeconomic environment is likely to generate volatility in the
profits of resident firms and financial institutions (Clark & Marois, 1996, p. 45).
6
Nations that face a shortage of foreign currency will sometimes impose controls on the
movement of capital into and out of the country. Such controls may make it difficult for a
firm to remove its profits or investments from the host country. Sometimes exchange controls
are also levied selectively against certain products or companies in an effort to reduce the
importation of parts, components, or supplies that are vital to production operations in the
country (Czinkota et al., 2004).
1.2.1.2 Country financial risk
Country financial risk refers to the ability of the national economy to generate enough foreign
exchange to meet payments of interest and principal on foreign debt. The ability to meet
payments of interest and principal on foreign debt depends on the extent to which the
country's assets are financed with foreign loans. It depends on three parameters:
Total amount of a country's external debt
Its maturity structure
Country’s economic risk
1.2.1.3 Country currency risk
Country currency risk is defined as the volatility of exchange rates. The exchange rate has
major consequences on a country's level and composition of output and consumption, as well
as on its overall economic well-being. Apparently profitable transactions can suddenly turn
sour if the exchange rates move in the wrong direction (Clark & Marois, 1996).
Different exchange rate regimes affect business behaviour. A fixed exchange rate fixes the
value of one country’s currency against another. The two key advantages of a fixed exchange
rate system are (Brooks et al., 2004):
The stability that it provides for businesses encourages long-term contractual
arrangements between businesses.
Since the exchange rate cannot be altered to restore a country’s competitiveness, if it runs
a balance of payments deficit, it imposes a disciplined fiscal and monetary policy, which
means a tight grip on inflation.
Floating exchange rate responds to the market demand for and supply of the domestic
currency. If there are differences between the demand for and supply of the domestic
currency, the exchange rate should automatically adjust. One of the great advantages of this
type of exchange rate is that it does not require any government intervention; market forces
undertake the adjustment. The problems with floating exchange rate are:
7
Increased uncertainties for traders which may lead to a greater proportion of short-term
contracts.
Import prices rise then the balance of payments deteriorates, leading to depreciation in the
value of currency. This restores the competitiveness of exports but further raises the price
of imports, and these increased import costs can feed through into domestic inflation
levels.
Fluctuations in the exchange rate are more likely to have harmful effects on business
investment. That is, both international investment and domestic investment may be reduced,
with concomitant effects on exports, in general, and output in particular.
Any move to a fixed exchange rate reduces uncertainty and improves business expectations.
The decision, to adopt one exchange rate system in preference to another may not be taken
purely on economic grounds, but may be the result of the need for closer political ties (Brooks
et al., 2004).
1.2.1.4 Country political risk
Politics and laws of a host country affect international business operations in a variety of
ways. Politics influences the way markets operate. Often the most unpredictable economic
events are political in origin, the result of flagging political willingness or capacity to
maintain a consistent and predictable economic environment. Political risk relates to the
preferences of political leaders, parties, and factions, as well as their capacity to execute their
stated policies when confronted with internal and external challenges. Changes in the
regulatory environment, local attitudes to corporate governance, reaction to international
competition, labour laws, and withholding and other taxes may all be influenced by hard to
discern shifts in the political landscape (PriceWaterhouseCoopers, 2010).
There is political risk in every nation, but the range of risks varies widely from country to
country. In general, political risk is lowest in countries that have a history of stability and
consistency. Three major types of risks can be encountered (Czinkota et al., 2005, p.112):
Ownership risk, which exposes property and life
Operating risk, which refers to interference with the ongoing operations of a firm
Transfer risk, which is mainly encountered when attempts are made to shift funds between
countries.
Hard political risk includes expropriation, nationalization, the destruction of assets and forced
local shareholding. Expropriation is the transfer of ownership by the host government to a
domestic entity with payment of compensation. Some industries are more vulnerable than
others to expropriation because of their importance to the host country’s economy and their
8
lack of ability to shift operations. Sectors as mining, energy, public utilities, and banking have
frequently been targets of such government actions (Czinkota et al., 2005).
Many countries are turning from expropriation to more subtle forms of control, such as
domestication. Through domestication, the government demands transfer of ownership and
management responsibility. It can impose local content regulations to ensure that a large share
of product is locally produced or demand that a larger share of the profit is retained in the
country. Changes in labour laws, patent protection, and tax regulations are also used for
purposes of domestication.
Political decisions at all levels, such as those on economic policy, social policy, the control of
pollution and support for technology all have an impact on business activities. The business
environment is liable to change as the result of radical political shock, gradual shift, or a
combination of the two (Brooks et al., 2004).
1.2.2 Firm specific risk
A global firm is, besides being exposed to the mentioned four categories of country-specific
risk, exposed to risks which are specific to its business. The primary categories of firm-
specific uncertainties are operating, liability, research and development, credit, and
behavioural uncertainties. Table 1 presents an overview of firm-specific uncertainties.
Table 1: Firm-specific uncertainties
Operating uncertainties
Labour uncertainties:
- Labour unrest
- Employee safety
Input supply uncertainties:
- Raw materials shortages
- Quality changes
- Spare parts restrictions
Production uncertainties:
Machine failure
Other random production factors
Liability uncertainties Product liability
Emission of pollutants
R & D uncertainty Uncertain results from research and
development activities
Credit uncertainty Problems with collectibles
Behavioural uncertainty Managerial or employee self-interested behaviour
Source: Miller, D. Kent, A Framework for Integrated Risk Management in International Business, 1992, p. 319.
9
Operational risk includes three subcategories of uncertainties: labour uncertainty, firm-
specific input supply uncertainty, and production uncertainty. Uncertainty regarding
specialized labour or other inputs is often firm-specific rather than having an effect on the
industry in general. Labour uncertainties include changes in employee productivity due, for
example, to labour unrest or strikes. Providing employees with a safe atmosphere in which to
work reduces the personal risk to workers as well as the threat of injury-related lawsuits
directed at the firm.
Raw materials shortages, quality changes in inputs, and spare parts restrictions are all
examples of firm-operating uncertainties in the input supply category. Input supply
uncertainties are likely to be the greatest when a single supplier or organized group provides
critical inputs to the firm.
Production uncertainty is the third type of operating uncertainty. Production uncertainty
includes variations in output due to machine failure. Also included in production uncertainty
are other random factors, such as accidents, that disturb the production process.
Liability uncertainties are associated with unanticipated harmful effects due to the production
or consumption of a company's product. Product liability uncertainty relates to unanticipated
negative effects associated with the use of a product that can result in legal actions against the
producer. Firms may also be held legally responsible for certain external effects such as
emissions of contaminants into the environment. In addition to technological uncertainty at
the industry level which was discussed earlier, individual firms investing in research and
development encounter uncertainty about the relations between their R&D investments and
new product or process outputs. The R&D uncertainty is the lack of perfect foresight as to the
connections among a firm's own R&D expenditures.
Credit uncertainty involves problems with collectibles. Defaults by clients on their debts to a
firm can be a direct cause of variation in the firm's income stream. The high levels of
uncollectible loans accumulated by private banks lending to developing countries are an
obvious case of adverse performance resulting from credit uncertainty. Problems associated
with the management of collectibles are not, however, limited to the financial sector. The
final category of firm-specific uncertainties is associated with the agency relationships within
a firm. Jensen and Meckling (1976) define an agency relationship as "a contract under which
one or more persons (the principal) engage another person (the agent) to perform some
service on their behalf which involves delegating some decision-making authority to the
agent" (p. 308). One such relationship is that between a firm's owners and the managers they
employ. Jensen and Meckling (1976) show that managers often face incentives to increase
their personal welfare at the expense of the firm's owners. This tendency toward personally
beneficial behaviour decreasing the overall value of the firm, is not limited to top
management. Rather, opportunistic behaviour by agents can occur at any level of the
organizational hierarchy.
10
1.2.3 Systematic risk
Systematic risk is the total risk that a multinational company is facing when conducting
business in different markets. In the international finance literature, the major factor that is
associated with the reduction in systematic risk for the MNC is the idea that the MNC’s
operations are in multiple countries, which increases the diversity of its cash flows (Shapiro,
1978). As an MNC is more diversified relative to a similar domestic firm, the returns of the
firm will be less correlated with the market and its systematic risk may increase.
However, the additional risk such as foreign exchange risk and political risk that the
international firm may face, could actually increase the firm’s level of systematic risk. It is
posited that the additional risk that the international firm may face could actually increase the
firm’s level of systematic risk if the increase in additional risk is higher than the decrease in
coefficient of correlation between returns from different markets.
2 ENTERPRISE RISK MANAGEMENT
2.1 Definition of Enterprise Risk Management (ERM)
According to the definition from the Casualty Actuarial Society, 2003, Enterprise Risk
Management is the discipline, by which an organization in any industry assesses, controls,
exploits, finances, and monitors risk from all sources for the purpose of increasing the
organization's short and long-term value to its stakeholders.
The underlying premise of Enterprise Risk Management is that every entity exists to provide
value for its stakeholders. All entities face uncertainty and the challenge for the management
is to determine how much uncertainty to accept as it strives to increase the stakeholder value.
Uncertainty presents both risk and opportunity, with the potential to erode or enhance value.
Enterprise Risk Management enables management to effectively deal with uncertainty and
associated risk and opportunity, enhancing the capacity to build value. Value is maximized
when management sets the strategy and objectives to strike an optimal balance between
growth and return goals and related risks, and efficiently and effectively deploys resources in
pursuit of the entity’s objectives (Committee of Sponsoring Organizations of the Treadway
Commission, 2004).
Enterprise Risk Management encompasses:
Aligning risk appetite and strategy: the management considers the entity’s risk appetite in
evaluating strategic alternatives, setting related objectives, and developing mechanisms to
manage related risks.
11
Enhancing risk-response decisions: ERM provides the rigor to identify and select among
alternative risk responses – risk avoidance, reduction, sharing, and acceptance.
Reducing operational surprises and losses: entities gain enhanced capability to identify
potential events and establish responses, reducing surprises and associated costs or losses.
Identifying and managing multiple and cross-enterprise risks: every enterprise faces a
myriad of risks affecting different parts of the organization, and Enterprise Risk
Management facilitates effective response to the interrelated impacts, and integrated
responses to multiple risks.
Seizing opportunities: by considering a full range of potential events, management is
positioned to identify and proactively realize opportunities.
Improving deployment of capital: obtaining robust risk information allows management to
effectively assess overall capital needs and enhance capital allocation.
Enterprise Risk Management emphasizes a comprehensive view of risk and risk management,
meaning that different risks within an organization should not be managed separately. Rather
than focusing solely on hazard or financial forms of risk, Enterprise Risk Management seeks
to address all events that might adversely or positively impact the performance of an
organization. Vast variety of risks should be treated in a holistic manner and the correlation of
various risks should be analysed.
Companies that understand their risks better than their competitors are in a very powerful
position to leverage risk to a competitive advantage. Greater knowledge of risks delivers the
ability to deal with risk that intimidates competitors, to project adversity better than
competitors, and to manage risk at the lowest costs. (Davenport & Bradley, 2000).
Enterprise Risk Management should be a pattern of an enterprise's behaviour with the full
support of the enterprise's management and should influence corporate decision making. The
intention of Enterprise Risk Management is to be value creating as well as risk mitigating. It
should improve decision making at all levels of the organization (CAS, 2003).
2.1.1 Forces for ERM evolution
Identifying and prioritizing risk, either with foresight or following a disaster, has long been a
standard management activity. Treating risk by transfer, through insurance or other financial
products, has also been a common practise.
What has changed, is treating the vast variety of risks in a holistic manner, and elevating risk
management to a senior management responsibility.
Main driving forces toward ERM are:
The increasing number and the interaction of risks facing organizations
12
External pressures
Portfolio point of view
Quantification of risks
Boundary less benchmarking
Risk as opportunity
The increasing number and the interaction of risks facing organizations
New risks emerge with the changing business environment. The advances in technology,
globalization, increasing financial sophistication and the uncertainty of irrational terrorist
activity contribute to the growing number and complexity of risks. Organizations have
recognized the importance of managing all risks and their interactions. Even seemingly
insignificant risks on their own have the potential, as they interact with other events and
conditions, to cause great damage.
External pressures
There is an increasing desire of publicly traded companies' shareholders for stable and
predictable earnings. Motivated by the well-publicized catastrophic failures of corporate risk
management, rating agencies, stock exchanges and institutional investors insist that company
senior management take greater responsibility for managing risks on an enterprise-wide scale.
Portfolio point of view
To understand its portfolio risk, an organization must understand the risks of the individual
elements plus their interactions. Portfolio risk is not the simple sum of the individual risk
elements. For example, certain risks can represent »natural hedges« against each other if they
are sufficiently negatively correlated.
Quantification of risks
Advances in technology and expertise have made risk quantification easier, even for the
infrequent, unpredictable risks that have been historically difficult to quantify.
Similar to the continuing effort to quantify individual risks better is a growing effort to
quantify portfolio risk. This can be extremely complex and challenging, because in addition to
individual risks, interactions between individual risk elements should be explained.
Risk quantification gives organizations the ability to estimate the magnitude of risk or degree
of dependency with other risks sufficiently as to make informed decisions. Further, the act of
simply going through the quantification process gives people a better qualitative perspective
of the risk.
13
Boundary less benchmarking
Common ERM practices and tools are shared across a wide variety of organizations and
across the globe. The ERM process, tools, and procedures are common to many
organizations. Organizations have become quite willing to share practises and efficiency gains
with others with whom they are not direct competitors (Casualty Actuarial Society, 2003).
Risk as opportunity
In the past, organizations tended to take a defensive posture towards risks, viewing them as
situations to be minimized or avoided. Increasingly, organizations have come to recognize the
opportunistic side, the value-creating potential of risk. There is the opportunity to swap, keep,
and actively pursue certain risks because of the confidence in the organization's special ability
to exploit those risks. In essence, there is realization that risk is not completely avoidable and
that informed risk taking is a means of competitive advantage.
2.1.2 ERM framework
ERM can be conceptualized by defining the types of risk included and the various risk-
management process steps as shown in the figure below:
Table 2: ERM Framework
ERM Framework
Types of Risk
Process steps Hazard Financial Operational Strategic
Establish Context
Identify Risks
Analyze/Quantify Risks
Integrate Risks
Assess/Prioritize Risks
Treat/Exploit Risks
Monitor and Review
Source: Casualty Actuarial Society, 2003, p. 9.
2.1.2.1 Types of enterprise's risk
Enterprise’s risk should be categorized in a way that all sources of enterprise’s risk are
included. In the literature, there are more categorizations of enterprise’s risks. General
categorization of risk, which is also the basis for risk categorization in the selected company,
includes the following risk types:
14
Hazard risk
Financial risk
Operational risk
Strategic risk
The precise slotting of individual risk factors under each of these four categories is less
important than the recognition that ERM covers all categories and all material risk factors that
can influence the organization's value.
Hazard risks include risk from:
Fire and other property damage
Windstorm and other natural perils
Theft and other crime, personal injury
Business interruption
Disease and disability (including work related injuries and diseases)
Liability claims
Financial risks include risks from:
Price changes (influencing asset value, interest rate, foreign exchange, commodity prices)
Liquidity (cash flow)
Credit (default)
Inflation/purchasing power
Operational risk includes risks from:
Business operations (human resources, product development, product/service failure,
supply chain management, business cyclicality)
Empowerment (leadership, change readiness)
Information technology (availability, relevance)
Business reporting (budgeting and planning, accounting information, taxation)
Strategic risk includes risks from:
Reputation damage
Competition
Customer wants
Demographic and social/cultural trends
Capital availability
Regulatory and political trends
15
2.1.2.2 ERM process steps
Based on the Australian/New Zealand Standard in Risk Management (AS/NZS), the risk
management process consists of the following seven steps:
1.Establish Context
2.Identify Risk
3.Analyze/Quantify Risks
4.Integrate Risks
5.Assess/Prioritize Risks
6.Treat/ Exploit Risks
7.Monitor and Review
Establish Context
This step includes External, Internal and Risk Management Contexts. The External Context
defines the relationship of an enterprise with its environment, including the enterprise's
strengths, weaknesses, opportunities and threats (SWOT analysis). It also identifies the
various stakeholders (shareholders, employees, customers, community), as well as
communication policies with these stakeholders.
The Internal Context starts with an understanding of the overall objectives of an enterprise, its
strategies to achieve those objectives and its key performance indicators.
The Risk Management Context identifies which risk categories are relevant for a certain
enterprise and the degree of coordination throughout the organization, including the adoption
of common risk metrics.
Identify risk
This step involves documenting the conditions and events that represent material threats to an
enterprise's achievement of its objectives or represent areas to be exploited for a competitive
advantage.
Since ERM expresses risk in terms of its impact on corporate performance measures, the
evaluation of corporate performance measures has a specific application in the identification
of risks. Most common measures for the evaluation of corporate performance are:
Return On Equity (ROE) – net income divided by net worth
Operating earnings – net income from continuing operations, excluding realized
investment gains
Earnings Before Interests, Taxes, Depreciation and Amortization (EBITDA)
16
Cash flow return on investments – EBITDA divided by tangible assets
Weighted Average Cost of Capital (WACC)
Economic Value Added (EVA)
Techniques for identifying the various events that create risk include:
Review of prior internal audit reports
Brainstorming
Risk questionnaires
Review of financial statements, Exchange Commission reports, and management letter
comments
Business studies
Industry benchmarking
Scenario analysis
Risk assessment workshops
Incident investigation
Auditing and inspections
Hazard and operability studies
Analyze/Quantify risks
This step involves calibrating and, wherever possible, creating probability distributions of
outcomes for each material risk. This step provides necessary input for subsequent steps, such
as integrating and prioritizing risks. Analysis techniques range along a spectrum from
qualitative to quantitative, with sensitivity analysis, scenario analysis and simulation analysis.
Integrate risks
The risk integration that takes place in ERM allows management to assess interdependencies
between its various risk exposures and take this information into account when developing
risk mitigation strategies.
This step involves aggregating all risk distributions, reflecting correlations and portfolio
effects, and expressing the results in terms of the impact on an enterprise's key performance
indicators.
Assess/Prioritize risks
This step involves determining the contribution of each risk to the aggregate risk profile, and
prioritizing accordingly. Risk mapping is frequently used for risk prioritization. It involves the
visual representation of identified risks in a way that easily allows ranking them. This
17
representation takes the form of a two-dimensional grid with frequency (or likelihood of
occurrence) on one axis, and severity (or degree of financial impact) on the other axis. The
risks that fall in the high-frequency/high-severity quadrant are typically given the highest
priority risk management attention.
Treat/Exploit risks
In this step the appropriate response to identified risks should be defined. An enterprise's
management should perform a cost-benefit analysis so that an appropriate treatment can be
selected for each risk.
The risk treatment options are:
Accept the risk (take no further action and accept the implications of certain risk)
Avoid the risk (eliminate the activity which is causing certain risk)
Transfer the risk (this option can involve the use of derivatives, hedging or insurance on
financial risk, as well as the use of third parties to perform manufacturing or other back-
office work on operational risk).
A cost-benefit analysis should be performed so that an appropriate treatment can be selected
for each risk. Experts such as actuaries may sometimes be needed.
Monitor and review
This step involves continual gauging of the risk environment and the performance of the risk
management strategies. Effective monitoring needs to ensure that the agreed-upon risk
response is actually implemented and working.
It is important to clarify monitoring responsibilities among internal auditing, individual
business managers, and the board. Software based on key performance metrics may be used to
design an effective continuous monitoring process.
3 ENTERPRISE RISK MEASURES AND MODELS
3.1 Risk measures
ERM should represent the entire portfolio of risks that constitute an enterprise. Many
companies represent their portfolio of risks in terms of cumulative probability distribution
(e.g. of cumulative earnings) and use it as a base from which they determine the incremental
impact (e.g. on required capital) of alternative strategies or decisions (CAS, 2003).
Risk measures relevant for determination of the volatility around expected results are:
18
Variance: the average squared difference between random value and its mean.
Standard deviation: the square root of variance.
Semi variance and downside standard deviation: modifications of variance and standard
deviation in which only unfavourable deviations from a specified target level are
considered in the calculation.
Below target risk: the expected value of unfavourable deviations of a random variable
from a specified target level.
Risk measure which concentrates on the adverse tail of the probability distribution is Value at
Risk (VaR). It considers only negative deviations from expected results. It calculates the
maximum loss expected (or worst case scenario) on an investment, over a given time period
and given a specified degree of confidence. VaR has three standard elements: a relatively high
level of confidence (typically either 95% or 99%), a time period (a day, a month or a year)
and an estimate of an investment loss (expressed either in dollar or percentage terms). There
are three methods of calculating VaR: the historical method, the variance-covariance method
and the Monte Carlo simulation. The historical method simply re-organizes actual historical
returns, putting them in order from worst to best. It then assumes that history will repeat itself,
from a risk perspective. The Variance-Covariance method assumes that stock returns are
normally distributed. It requires that we estimate only two factors - an expected (or average)
return and a standard deviation - which allow us to plot a normal distribution curve. Monte
Carlo Simulation runs multiple hypothetical trials through the model. It refers to any method
that randomly generates trials (Harper, 2010).
3.2 Risk modelling
Risk modeling refers to the models and methods used to evaluate risk and performance
measures. Most organizations usually possess a simple financial model of their operations that
describes how various inputs (i.e. risk factors, conditions, strategies and tactics) will influence
the key performance indicators, which are used to manage the organization (Decisioncraft,
2005).
The major models used in the ERM process are:
Structural financial models
Stochastic (probabilistic) risk models
Structural financial models explicitly capture the structure of the cause/effect relationship,
linking inputs to outcomes. These structural models are deterministic models because they
describe the expected outcomes from a given set of inputs without regard to the probabilities
of the outcomes above or below the expected values.
19
Stochastic or probabilistic risk models include probabilities of the outcomes above or below
the expected values. The two general classes of stochastic risk models are statistical analytical
risk models and structural simulation models.
Analytical risk models require a restrictive set of assumptions and mathematically tractable
probability distributions. Their principal advantage over simulation models is in the ease and
speed of calculation.
Simulation models (often called Monte Carlo) require a large number of computer-generated
trials to approximate an answer. These models are relatively robust and flexible, can
accommodate complex relationships and depend less on simplifying assumptions and
standardized probability distributions. Their principal advantage over analytical models is the
ability to model virtually any real-world situation to a desired degree of precision.
Statistical and structural methods differ because of the relationship among random variables
represented in the model. Models using statistical methods are based on observed statistical
qualities of random variables without regard to cause/effect relationship. Statistical methods
enable easier model parameterization from the available (often public) data. Models using
structural methods are based on an explicit cause/effect relationship. These cause/effect
linkages are typically derived from both data and expert opinion. The principal advantage
over statistical methods is the ability to examine the causes driving certain outcomes, and the
ability to directly model the effect of different decisions on the outcome.
Since the choice of modelling approach is typically between statistical analytical models and
structural simulation models, the contrast between these modelling approaches is summarized
in the table below.
Table 3: The contrast between statistical analytical and structural simulations methods
Representation of
Relationship among
random variables in the
model
Calculation Technique Relative Advantage
Statistical
(based on observed
statistical qualities)
Analytic
(closed form - formula
solutions)
Speed, ease of replication,
use of publicly available data
Structural
(based on specified
cause/effect linkages)
Simulations
(solutions derived
from repeated draws from the
distribution)
Flexibility, treatment of
flexible relationships,
ability to examine scenario
drivers
Source: Casualty Actuarial Society, 2003, p. 20.
20
4 ERM IMPLEMENTATION
There is a significant need for ERM if organizations are to improve governance, risk/return,
and revenue growth, as well as realize the myriad of other benefits. Many rating agencies
have reinforced the importance of ERM by assessing non-financial firms on their ERM
implementation (Schanfield & Helming, 2008).
Internal auditors should play an active role in the ERM implementation process because an
organization's failure to achieve solid ratings could result in increased financing costs.
Therefore, internal auditing should consider providing training in risk and control to board
members. As part of special projects in their internal audit plan, auditors can also perform an
independent review in which they should evaluate how their organization could meet the main
ERM implementation challenges.
4.1 The ERM implementation challenges
4.1.1 Defining risk terminology
A risk glossary should be developed at the start of the ERM implementation process to ensure
that risk definitions are properly understood by everyone in an organization. It is important to
define what risk means for the entire organization at the outset of the ERM implementation,
as there are several different interpretations. A consistent use of key concepts will save time
and effort. At the very least, an organization needs to agree on definitions for terms such as
risk, risk assessment, risk management, ERM, significance, likelihood, inherent risk, and
residual risk.
4.1.2 Selecting the ERM framework
Many ERM frameworks developed and used around the world include:
Association of Insurance and Risk Managers (AIRMIC)
The National Forum for Risk Management in the Public Sector (ALARM in UK)
Australia/New Zealand Risk standard (AS/NZ 4360:2004)
British Standard 31100
Federation of European Risk Management Associations (FERMA)
Internal Control (Hong Kong)
Institute of Risk Management (IRM)
International Organization for Standardization (ISO 31000)
The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO)
21
The most commonly used risk framework in many organizations was released in 2004 by the
Committee of Sponsoring Organizations of the Treadway Commission (COSO). This
framework defines the essential components, suggests a common language, and provides
clear direction and guidance for enterprise risk management. It views an entity’s objectives in
the context of four categories: strategic, operations, reporting and compliance and considers
activities at all levels of the organization: the entity level, division level, business unit and
subsidiary level.
A direct relationship between objectives, which an entity strives to achieve, and enterprise
risk management components, which represent what is needed to achieve them, is depicted in
a three-dimensional matrix in the form of a cube. The four objectives or categories – strategic,
operations, reporting, and compliance, are represented by the vertical columns, the eight
components by horizontal rows, and an entity’s units by the third dimension. This depiction
portrays the ability to focus on the entirety of an entity’s enterprise risk management, or by
objectives category, component, entity unit, or any subset thereof (COSO, 2004).
Figure 2 represents a three-dimensional matrix showing the relationship between ERM
objectives, components and entity’s units.
Figure 1: COSO’s ERM Framework
Stra
tegic
Ope
ratio
ns
Rep
ortin
g
Com
plia
nce
Internal Environment
Risk Response
Control Activities
Information and Communication
Monitoring
Internal Environment
Objective Setting
Event Identification
Risk Assessment
Su
bsid
iary
Bu
sin
ess U
nit
Div
isio
n
En
tity L
eve
l
Source: Committee of Sponsoring Organizations of the Treadway Commission (2004). Enterprise Risk
Management – Integrated Framework. Executive Summary, p. 11.
COSO’s framework is particularly convenient for multinational companies since it links
together business unit and entity level and portfolio view of risks is developed from two
perspectives: business unit level and entity level (COSO, 2004).
22
It is important for an organization implementing ERM to understand at least some of the vast
body of knowledge related to ERM so that management can make intelligent decisions about
how best to implement it. Such decisions include selecting an appropriate risk framework and
adapting it to the organization. Some of the different frameworks have advantages, such as
workbook materials and display slides that may help the implementation process. By learning
more details about the various ERM frameworks, internal auditors can help management
evaluate which are best suited to the organization's needs.
4.1.3 Articulating ERM benefits/impacts
It is important to identify the benefits/impacts that the organization expects to achieve from
implementing ERM. The key benefits/impacts of ERM include:
Improved decision-making, especially in setting corporate strategy
Reduced risk exposure in key areas
Improved corporate governance
Improved compliance
Greater efficiency of operations and profitability
More effective business processes
Enhanced capital allocation
Increased stock price
The ERM project team, as directed by executive management, should articulate the
anticipated benefits/impacts throughout the organization and create a measurement process to
determine to what extent these objectives will be achieved. For example, the organization
may meet the milestone improved corporate governance through delivery of risk assurance if
its audit committee has improved by including at least one external member and if members
have received formal training in risk and control (Schanfield & Helming, 2008).
4.1.4 Integrating strategy and human resources into ERM successfully
It is important to integrate both strategy and human resources into the ERM process. From the
human resource perspective, specific goal-setting tied to the success of ERM must be part of
an individual's performance management plan; without this, the implementation exercise may
fail. Likewise, the business strategy should be defined at the outset of the exercise along with
the organization's mission and vision. The ERM process will flow forward from this strategy,
and events will be identified that may impact achievement of the organization's strategies and
objectives (Schanfield & Helming, 2008).
For successful ERM implementation it is paramount that the board drive the implementation
exercise. Everyone in the organization must be responsible for managing some aspect of risk.
All individuals must be trained in basic risk management skills, a risk framework must be
23
adapted to the organization's needs, and risk tolerances must be set by the board. Internal
auditors can help the implementation effort by learning all they can about ERM as well as by
networking with risk professionals. They also need to challenge the external auditors to get
appropriate support for this initiative. Finally, auditors must do more to educate their board
about ERM to ensure the right outcomes (Schanfield & Helming, 2008).
4.1.5 Fixing boundaries between ERM and Sarbanes Oxley Act of 2002
The Sarbanes-Oxley Act was signed into law on 30th July 2002, and introduced highly
significant legislative changes to financial practice and corporate governance regulation. It
introduced stringent new rules with the objective to protect investors by improving the
accuracy and reliability of corporate disclosures made pursuant to the securities laws
(Sarbanes Oxley, 2002).
Companies that have completed their U.S. Sarbanes-Oxley Act of 2002 implementations in
the last few years might find their compliance efforts towards Sarbanes-Oxley Act sufficient
also for the ERM implementation. However, because Sarbanes-Oxley is a rules-based
initiative following a bottom-up approach, it is not easily leveraged for ERM.
Sarbanes-Oxley focuses on controls over transactions, whereas ERM is a top-down, holistic,
principles-based approach focusing on risks associated with events. Sarbanes-Oxley also does
not specifically address operational, strategic, and compliance risks not related to financial
reporting. Organizations that choose to combine their ERM and Sarbanes-Oxley efforts
should start with a clean sheet of paper and identify all those events that create risk, including
those that create financial risk. The assessment of those events from the top down may then
facilitate the Sarbanes-Oxley effort that was generated from the bottom up.
5 RISK MANAGEMENT IN THE SELECTED COMPANY
5.1 Introduction of the company
The selected company is licensed to produce, sell and distribute a range of non-alcoholic
beverages. It was formed in the year 2000 as a result of the merger of the Athens-based
Hellenic Bottling Company and the London-based Coca-Cola Beverages. Company’s two
major shareholders are the Kar-Tess Holding S.A., a private holding company, and The Coca-
Cola Company. For most of the beverages the owner of the trademarks is The Coca Cola
Company, which supplies the concentrates and is largely responsible for consumer marketing.
The company is headquartered in Athens and is conducting operations across 28 countries,
which can be divided into:
24
Established markets (Austria, Cyprus, Greece, Italy, Northern Ireland, Republic of
Ireland, Switzerland)
Developing markets (Croatia, Czech Republic, Estonia, Hungary, Latvia, Lithuania,
Poland, Slovakia, Slovenia)
Emerging markets (Armenia, Belarus, Bosnia and Herzegovina, Bulgaria, FYROM,
Moldova, Montenegro, Nigeria, Romania, Russia, Serbia, and Ukraine)
In 2009 the company’s Earnings Before Interest and Tax (EBIT) were 651 million Euros.
EBIT split between three markets segments is shown in the table 4.
Table 4: EBIT split of the selected company in 2009
EBIT share EBIT (million €)
Established markets 50% 326
Developing markets 15% 98
Emerging markets 35% 228
Source: Internal sources of the selected company, 2009.
The company had over 44.000 employees in 2009 and its net revenues amounted to 6.544
million Euros.
The executive management group of the company is the Operating Committee. It sets strategy
and direction and it ensures effective coordination and decision making across the
organization. The roles of the committee include:
Developing Group Strategy
Approving annual targets for countries and corporate functions
Challenging and approving strategic business plans
Reviewing operating performance of countries and agreeing on corrective action
Reviewing operating performance of corporate functions and agreeing on corrective
action
Spreading best practices from peer companies and other industries
The corporate office in Athens is designed to group together the key staff and processes.
Corporate functions manage projects, processes, and shared services. Each function has a
country-level and a group-level structure. This structure brings functional operations as close
as possible to the customer, while allowing the company to obtain substantial scale benefits in
procurement savings, knowledge sharing, investment planning and best practices from its
operations in the 28 countries.
25
5.2 Risk Management in selected company
The corporate finance office is responsible for overall risk management which includes
safeguarding the assets of the company to minimize the risk of financial loss and developing
risk management capabilities to enhance decision making.
The Risk and Insurance department and the Treasury department within the corporate finance
office are mainly dealing with risk.
5.2.1 Corporate Risk and Insurance department
Corporate Risk and insurance department is covering three main areas:
Group insurance and risk financing
Property loss prevention
Integrated risk management
Group insurance and risk financing
Group insurance and risk financing objectives are:
a) To ensure that the Group is properly protected against insurable risk either by purchase of
insurance or by appropriate self-funding arrangements.
b) To arrange cost-effective Group global insurance policies where possible.
c) To assist local operations in arranging cost-effective local protection where global
insurance is not available or appropriate.
d) To establish, maintain and develop efficient and effective insurance relationships with a
core group of international and local insurers.
The following Group insurance policies are arranged centrally:
Property damage
Product recall
Terrorism
Directors and officers liability
Personal accident and travel
Special contingency (kidnap, extortion)
Crime (theft)
The terms and conditions of these policies have been agreed centrally, with the level of
deductible for each contract arranged at the most cost-effective level for the Group. Local
26
insurance to cover the various deductibles should not be purchased without reference to the
Corporate Risk and insurance management.
Property Loss Prevention (PLP)
Property loss prevention covers:
The development of loss prevention culture within the company and ensure that loss
prevention is an integral part of key business decisions.
Ensuring that the company assets are protected as far as reasonably possible by setting
PLP guidelines.
Reviewing the exposures at each of the main manufacturing sites with reference to PLP
guidelines and other best practice standards.
Assisting operations in minimising arising risks by identifying hazards and making
recommendations for risk improvement where appropriate.
Monitoring risk improvement and risk quality.
Providing guidance and training in PLP to all operations.
Integrated Risk Management
The selected company recognized the need to implement the ERM process meaning that all
subsidiaries should regularly identify, assess, control and monitor all risks arising from their
business activities. The implementation started in the year 2005 but the frequency of risk
assessment was insufficient and it considered mainly financial sources of risk.
In 2009 Corporate Risk and Insurance department initiated a project to improve involvement
of local subsidiaries in risk assessment. Every subsidiary had to nominate a Risk advisor who
was responsible for the ERM implementation in his/her subsidiary.
I was nominated as the Risk advisor for the Slovene subsidiary and in the sixth chapter of this
master’s thesis I will focus on ERM implementation and process steps in the Slovene
subsidiary of the selected company.
5.2.2 Corporate Treasury department
The Board of Directors has the ultimate responsibility to ensure that the company has
adequate systems of financial control. The Board of Directors has adopted a Chart of
Authority for the Group, defining financial and other authorisation limits and setting
procedures for approving capital and investment expenditure.
The Board of Directors also approves three-year strategic and financial plans and detailed
annual budgets. It subsequently reviews monthly performance against targets set forth in such
27
plans and budgets. The key focus of the financial management strategy is the protection of the
earnings stream and the management of cash flow.
Financial risks faced by the company arise from adverse fluctuations in interest rates, foreign
exchange rates and commodity prices.
The treasury function managed from the corporate Finance office in Athens is responsible for
managing the financial risk of the company and its subsidiaries in a controlled manner,
consistent with the Board of Directors’ approved policies. The treasury policy and the Chart
of Authority together provide the control framework for all treasury and treasury related
transactions.
The treasury policies include:
Hedging transactional exposures (particularly raw material purchases) to reduce risk and
limit volatility. Derivates are used if they qualify as hedging activities, meaning that they
reduce risk or convert one type of risk to another.
An investment policy to minimise counterparty risks and ensure an acceptable return is
being made on excess cash positions. Counterparty limits are approved by the Board of
Directors to ensure that risks are controlled effectively and transactions are undertaken
with approved counterparties.
Interest rate risk management
Interest rate costs are managed primarily with interest rates swaps and options. Some of the
companies’ fixed rate bonds have been swapped from fixed rate obligations into six-month
floating obligations and all non-euro issues underwent a full currency swapp into euro.
Foreign exchange rate risk management
The company’s foreign exchange exposure arises from adverse changes in exchange rates
between the euro, the US dollar and the currencies in the non-euro countries. This exposure
affects the company’s result in the following way:
Raw material purchased in a currency such as the US dollar can lead to higher cost of
sales which, if not recovered in local price or cost reductions, will lead to reduced profit
margins.
Devaluations of weaker currencies that are accompanied by high inflation and declining
purchasing power can adversely affect sales and unit case volume.
Operations which have functional currencies other than euro, any change in the functional
currency against euro impacts the company’s income statement and balance sheets when
results are translated to euro.
28
The company’s Treasury policy requires hedging of 12-month forecasted transactional
exposures within defined coverage levels (minimum 25% and maximum 80%). Hedging
beyond a 12-month period may occur provided the forecasted transactions are highly
probable.
Fluctuations in market prices for raw materials are hedged by using various risk management
products such as Commodity Futures, Option contracts and Supplier Agreements. The hedge
horizon for such instruments can be up to a maximum of three years.
Currency forward and option contracts are used to hedge forecasted transaction exposures.
Transaction exposures arising from adverse movements in assets and liabilities denominated
in another currency than the reporting currency are hedged only for items like inter company
loans and intra group dividends using mainly forward contracts.
6 ENTERPRISE RISK MANAGEMENT IN THE SELECTED
COMPANY
Implementation of the ERM process was initiated by the corporate Risk department and
started in the year 2005. The primary aim of this framework was to minimise the company’s
exposure to unforeseen events and to provide certainty to the management of identified risks
in order to create a stable environment within which the company can deliver its operational
and strategic objectives.
There were two principal ERM objectives:
The compilation and maintenance of an up-to-date risk portfolio detailing the risks to the
achievement of the Group’s operational and strategic objectives; and
Consistent and replicable risk identification, management and escalation of identified risks
across the Group.
These objectives should be achieved by:
1. Regular monthly risk reviews with the country senior management teams to chart and
verify the progress of the management of the identified risk exposure.
2. Escalation of significant operational risks together with progress on agreed management
actions to the regional directors on a quarterly basis.
3. Twice yearly communication of cumulative regional risk exposure to the Operating
Committee and Audit Committee.
In 2005 local management teams in subsidiaries started with annual risk assessments and
delivered risk assessment outputs with yearly business plans. However, frequency of risk
assessment was insufficient and it considered mainly financial sources of risks.
29
In order to improve the enterprise risk management process, in 2009 all the subsidiaries were
requested to nominate risk advisor responsible for the replicable risk management process.
As the Risk advisor for Slovenia, I was trained to implement the ERM process in the Slovene
subsidiary. After the training, I introduced the ERM concept to the senior management team. I
assured that the senior management team regularly participated in risk identification and
assessment and that risk response plans were initiated. Furthermore, I was responsible for the
escalation of significant operational risks together with the progress on agreed management
actions to the Risk Director in the corporate office.
In the continuation of the thesis the ERM process in the Slovene subsidiary of the selected
company with the analysis and suggestions for improvements will be presented.
6.1 ERM process steps in selected company
The ERM process in the selected company has three standard steps:
Risk identification
Risk assessment (qualitative and quantitative)
Risk response
Figure 2: The ERM process steps in the selected company
Risk identification
Agree
objectives
Identify risks-
Brainstorming
Prompted risk
identifcation
Use historical
information
Agree risks
Assess
likelihoodRisk Assessment
Risk Response
Assess
Impacts
Agree
assessment
Use predefined
scoring criteria
Agree
response
plans
Ensure all data is recorded in the risk register and reviewed and escalated accordingly
Agree risk and
response
plan
ownership
Agree
response
plan target
dates
Plan next risk
review
Source: Internal sources of the selected company, 2010.
30
6.1.1 Risk identification
Selected company has defined a range of relevant risks for its business which should be
considered when subsidiaries are identifying risks. These risks are divided into five areas:
People Assets
Product And Market Assets
Infrastructure Assets
Information Assets
Finance Assets
The selected company defined its risk universe by identification of risk types which are the
most relevant for its business. Every subsidiary of the selected company should consider these
risks in the phase of risk identification. Risk types common for all subsidiaries are shown in
table 5.
Table 5: Risk universe of the selected company
RISK AREA RISK TYPE
PEOPLE ASSETS
Availability of talented people
Inappropriate employee behaviour
Safe and Healthy Workplace
Security
PRODUCT AND MARKET ASSETS
Consumer/marketplace trends
Malicious Product Attacks
Manufacturing Process/Quality
Trademark erosion
Relationship Management
Marketing and Promotions
New Product Commercialisation
INFRASTRUCTURE ASSETS
Business Disruption
Government Actions
Legal Liability issues
Security Environment
Supply Chain
INFORMATION ASSETS
Lack of information for decision making
Loss of Access to information
Unauthorised Access to information
FINANCE ASSETS
Currency/Interest rates
Financial Controls
Financial Misstatements
Forecasting/Budgeting
»continues«
31
RISK AREA RISK TYPE
Commodity Pricing
Counterparty Default
Inventory theft/fraud
Source: Internal sources of the selected company.
The risk advisor and the senior management team in the selected company monthly gather
and identify risks considering defined risk universe and subsidiaries’ objectives agreed by the
senior management team. Any event that would prevent subsidiary to fulfil its objectives is
treated as risk. Risks are mainly defined through brainstorming, interviews and by analysing
historical data. When risks are agreed on, they are registered in the Risk register.
Risk register
The risk register is designed to be a live management document to be reviewed and updated
on a regular basis and is the backbone of any risk management study. The purpose of the risk
register is to capture all of the risks that may impact on the delivery of the particular
undertaking in question, to capture their qualitative assessment and record the detailed
management information such as risk owners, response plans and management target dates.
The risk register also includes the risk model which is populated with the quantitative
information. The methodology that the risk register follows is recognised as common to all
best practice risk management processes, regardless of industry or task.
6.1.2 Risk assessment in the selected company
Once the risks have been identified and recorded in the risk register they are assessed by
canvassing opinion from those who have identified them.
6.1.2.1 Qualitative risk assessment in the selected company
The qualitative Risk assessment involves the determination of two key assessment factors:
The likelihood that an identified risk event will occur
The impact or consequences to the business if the risk event occurs
In the selected company the probability scale, common across the Group, is defined within the
current business planning period. Therefore the risks are assessed given their likelihood of
occurrence within the timeframe for delivering the current undertaking.
»continued«
32
Table 6: Qualitative probability assessment of identified risks in the selected company
Probability
of occurrence
Probability
assessment
Highly unlikely (1-10%) 1
Remote (10-25%) 2
Possible (25-50%) 3
Probable (50-85%) 4
Highly probable (>85%) 5
Source: Internal sources of the selected company, 2010.
The next part of the assessment is the agreement on risks’ potential impact. To do this only
two of the following impact categories should be chosen:
EBIT
Company reputation or perception
Health, Safety and Environment
Management effort
Quality
If the risk impacts more than two categories, the two highest impacting categories should be
chosen.
In table 7 the impact assessment criteria common for all subsidiaries of the selected company
are presented.
Table 7: Impact assessment of identified risks in the selected company
Risk impact area Impact description Impact assessment
EBIT
<3% of EBIT 1
Aprox 3% of EBIT 2
3-7% of EBIT 3
7-10% of EBIT 4
>10% of EBIT 5
Company
reputation
Insignificant damage to reputation
Unlikely to attract regional media attention
No brand impact expected
1
Minor damage to reputation
Unlikely to attract regional media attention
No brand impact expected
2
Moderate damage to reputation
Regional media attention lasting 1-2 weeks
Brand recovery expected in 1-2 weeks
3
»continues«
33
Risk impact area Impact description Impact assessment
Severe damage to reputation
Adverse national media coverage
Brand recovery expected in 2-8 weeks 4
Critical damage to reputation
Adverse multi-national media coverage
Brand recovery expected in 8-24 weeks
5
Health, Safety and
Environment
Internally reportable incident managed
locally
leading to < 3 days absence
1
Internally reportable incident managed
locally
leading to 3-5 days absence
2
Internally reportable incident managed
locally
leading to 5-10 days absence
3
Incident managed locally leading to major
injury/loss of limb or sight 4
Fatality 5
Management effort
No management involment required 1
Management input required to limit impact 2
Dedicated management effort required 3
Management
effort
External management report required for less
than 28 weeks 4
External management report required for
more than 28 weeks 5
Quality
Isolated single event in breach of quality
standards 1
Multiple complaints in breach of quality
standards 2
Multiple incident in breach of local
requlatory quality standards 3
Silent recall of product line 4
Public recal of product line
Closure of production facility 5
Source: Internal sources of the selected company.
In the table below risks which were identified by the management team of the Slovene
subsidiary of the selected company in March 2010 are presented. For each identified risk
likelihood and impact were assessed according to the above described assessment criteria.
»continued«
34
Table 8: Qualitative risk assessment of the Slovene subsidiary of the selected company
performed in March 2010
Impact (1 - 5)
ID Risk Description Consequence
Lik
elih
ood
(1 -
5)
EB
IT
Rep
uta
tion
/Per
cep
tion
H,S
& E
Man
agem
ent
Eff
ort
Qu
ali
ty
Pio
rity
1 Direct sales Distribution
disruption
Goods not delivered 4 4 0 0 3 0 28
2 GDP below forecast Lower consumption 3 5 0 0 3 0 24
3
Increased competition -
PLG
will increase activities in
AFB
Decreased market
share 4 3 0 0 3 0 24
4 Introduction of PET
deposit
Lower sales 4 3 0 0 3 0 24
5 Increased outstanding
debts
Loss 4 4 0 0 2 0 24
6 People retention SAP Business disruption 3 4 0 0 4 0 24
7 Product quality issues still
drinks-Nestea
Unsatisfied
consumers 3 0 0 0 3 4 21
8 Traffic risk of sales
personell
Absentisem, bad
company reputation 4 0 0 3 2 0 20
9 Knowledge transfer SAP Employees not trained
properly 4 1 0 0 4 0 20
10 Relationship with main
Key account (Mercator)
Decrease in sales 3 3 0 0 3 0 18
11 Waste Packaging
regulation change
Increase of packaging
fee 3 4 0 0 2 0 18
12
Slovenian Customers
buying
from foreign CCH
countries
Lower sales
3 3 0 0 3 0 18
13 External supply point
dependancy
Lost sales 2 2 0 0 3 0 10
14 Promotional mechanics Penalty or recall 3 1 0 0 2 0 9
15 Employee strike Work disruption 1 0 3 0 3 0 6
16
Changed labelling from
GDA
to traffic light system
Sales decrease
1 3 3 0 0 0 6
Source: Risk register of the selected company, March 2010.
Once the risks have been scored, they are automatically ranked as follows:
35
Probability score X (Impact A score + Impact B score) = Total impact
The primary reason for risk ranking is focusing the attention of management efforts on those
risks that exhibit the greatest potential to have a negative impact.
In the Slovene subsidiary of the selected company the top ranked risks were:
Direct Sales distribution disruption (one of the company’s major distributors to the direct
customers was having liquidity problems in the beginning of 2010, therefore there was a
high risk that company’s products will not be delivered on time).
Slovene gross domestic product will be below forecast (this risk was expected due to the
effects of the global economic crisis influencing lower consumption in 2010).
Increased competition by Pivovarna Laško group (PLG) which acquired the company’s
major competitor Fructal.
Plastic deposit (the government attempted to accept a regulative by which the fee for
plastic deposit would be included in the consumer price. That would increase the
consumer prices and could potentially decrease the company’s sales of beverages in
plastic packaging).
Increased outstanding debts (expected due to bad economic situation).
People retention due to implementation of enterprise resource system SAP (in the year
2010 the company was implementing the SAP system. Throughout the year 2010 SAP
trainings were held in Bolgaria. Since many people were employed temporarily and were
dedicated mainly to the SAP project, there was a high risk that these people would leave
the company before the SAP implementation.
The 10 highest ranked risks are automatically displayed on the Top 10 Heat map page which
is a part of the Business Register.
The heat map is graded in four colours, dark red, red, amber and green, from top right to
bottom left. The most significant area of the heat map is the top right hand corner, in dark red,
where the risks have the highest probability and the highest potential impact. The risks plotted
in dark red are deemed to be critical and are considered to be in need of the most urgent
attention.
Those in the red area are significant risks that will also need constant management effort to
manage them to acceptable levels whilst those in the amber area are worthy of regular review
and management updates.
The risks in the green area need to be monitored and assessed to ascertain if too much
resource is being expended on managing them to such a low level. Such an assessment is
always completed in a critical manner.
36
Figure 3: Top 10 risks heat map of the Slovene subsidiary of the selected company
5
4GDP below forecast Distribution Disruption
Impact 3
Product quality
issues
Relationship with
main Key account
(Mercator)
Increased competition from
PLG
Introduction of PET deposit
Increased outstanding debts
Traffic risk of sales
personell
2People retention SAP
Knowledge transfer SAP
1
1 2 3 4 5
Likelihood
RISK
Source: Risk Heat map of the Slovene subsidiary of the selected company.
All risks in the critical zone of the Top 10 Heat map need to be reported and accentuated to
the Group’s Risk director.
According to the risk assessment of the Slovene subsidiary in March 2010 no risks fell in the
critical zone.
6.1.3 Risk response
In the last step attention should shift to the risk response plans. There are three options for risk
response planning:
Reduce the likelihood of the risk occurring, or
Reduce the impact if the risk does occur, or
Reduce both the likelihood and the impact of the risk
For each identified risk a person responsible must be recorded in the Risk Register. This
person should assure that the risk response plans are delivered in time.
In table 9 risk response plans for the Slovene subsidiary of the selected company are listed.
37
Table 9: Risk response plans for the identified risks in the Slovene subsidiary of the selected
company in March 2010
ID Risk Description Risk Response Plans
Ris
k O
wn
er
Res
pon
se P
lan
to
be
Com
ple
ted
by
1
Direct sales Distribution disruption Identify alternative services
providers
Supply
Chain
manager
April
2010
2 GDP below forecast
Marketing mix adjustment
Commercial
manager ongoing
3
Increased competition -PLG will
increase activities in alcohol free
beverages Marketing mix adjustment
Commercial
manager ongoing
4
Introduction of PET deposit Negotiations with
government
Pubblic
Affairs
manager
June
2010
5
Increased outstanding debts Update of Accounts
Receivables policy, weekly
monitoring
Finance
manager
April
2010
6
People retention SAP following SAP recruitment
policy
Pubblic
Affairs
manager
April
2010
7
Product quality issues still drinks-
Nestea
Icreased visual incoming
goods inspections on
critical SKUs
Supply
Chain
manager
April
2010
8
Traffic risk of sales personell Training on safety driving Supply
Chain
manager
June
2010
9
Knowledge transfer SAP Close monitoring of SAP
implementation process
Pubblic
Affairs
manager
ongoing
10
Relationship with main Key
account (Mercator)
Extensive monitoring of
Mercators's performance
Improved relationship with
other Key Accounts
Commercial
manager
April
2010
11
Waste Packaging regulation
change
Negotiations with
government
Pubblic
Affairs
manager
ongoing
12 Slovenian Customers buying from
foreign subsidiaries
Review of commercial
policy Commercial
manager
June
2010
13
External supply point dependancy Prepare proper contingency
plans
Supply
Chain
manager
April
2010
»continues«
38
ID Risk Description Risk Response Plans
Ris
k O
wn
er
Res
pon
se P
lan
to
be
Com
ple
ted
by
14 Promotional mechanics Legal check of promotional
practice,
Use of legal services
Commercial
manager
April
2010
15 Employee strike Negotiations with union
HR
manager
April
2010
16 Changed labelling from GDA to
traffic light system not able to influence
Source: Risk register of the Slovene subsidiary of the selected company, March 2010.
6.2 Quantitative risk analysis in the selected company
The quantitative risk analysis attempts to assign numeric values to risks, either by using
empirical data or by quantifying qualitative assessments. Quantitative risk analysis can be
performed by using a Monte Carlo simulation.
In a Monte Carlo simulation, uncertain inputs in a model are represented using ranges of
possible values known as probability distributions. By using probability distributions,
variables can have different probabilities of different outcomes occurring. Probability
distributions are a much more realistic way of describing uncertainty in variables of a risk
analysis. Common probability distributions include:
Normal: the user simply defines the mean or the expected value and a standard deviation
to describe the variation about the mean. Values in the middle near the mean are most
likely to occur. It is symmetric and describes many natural phenomena such as people’s
heights. Examples of variables described by normal distributions include inflation rates
and energy prices.
Lognormal: values are positively skewed, not symmetrically like a normal distribution. It
is used to represent values that do not go below zero but have unlimited positive potential.
Examples of variables described by lognormal distributions include real estate property
values, stock prices, and oil reserves.
Uniform: all values have an equal chance of occurring, and the user simply defines the
minimum and maximum. Examples of variables that could be uniformly distributed
include manufacturing costs or future sales revenues for a new product.
»continued«
39
Triangular: the user defines the minimum, most likely, and maximum values. Values
around the most likely are more likely to occur. Variables that could be described by a
triangular distribution include past sales history per unit of time and inventory levels.
PERT: The user defines the minimum, most likely, and maximum values, just like the
triangular distribution. Values around the most likely are more likely to occur. However
values between the most likely and extremes are more likely to occur than the triangular;
that is, the extremes are not as emphasized. An example of the use of a PERT distribution
is to describe the duration of a task in a project management model.
Discrete: the user defines specific values that may occur and the likelihood of each. An
example might be the results of a lawsuit: 20% chance of positive verdict, 30% change of
negative verdict, 40% chance of settlement, and 10% chance of mistrial.
During a Monte Carlo simulation, values are sampled at random from the input probability
distributions. Each set of samples is called iteration, and the resulting outcome from that
sample is recorded. A Monte Carlo simulation does this hundreds or thousands of times, and
the result is a probability distribution of possible outcomes. In this way, a Monte Carlo
simulation provides a much more comprehensive view of what may happen. It tells you not
only what could happen, but how likely it is to happen (Palisade, 2010).
A Monte Carlo simulation provides a number of advantages over deterministic analysis:
Probabilistic Results: results show not only what could happen, but how likely each
outcome is.
Graphical Results: because of the data a Monte Carlo simulation generates, it is easy to
create graphs of different outcomes and their chances of occurrence. This is important for
communicating findings to other stakeholders.
Sensitivity Analysis. With just a few cases, deterministic analysis makes it difficult to see
which variables impact the outcome the most. In a Monte Carlo simulation, it is easy to
see which inputs had the biggest effect on bottom-line results.
Scenario Analysis. In deterministic models, it is very difficult to model different
combinations of values for different inputs to see the effects of truly different scenarios.
Using a Monte Carlo simulation, analysts can see exactly which inputs had which values
together when certain outcomes occurred. This is invaluable for pursuing further analysis.
Correlation of Inputs. In a Monte Carlo simulation, it is possible to model interdependent
relationships between input variables. It is important for the sake of accuracy to represent
how, in reality, when some factors go up, others go up or down accordingly.
The selected company has somewhat adapted quantitative risk analysis. It is simplified in a
way that for each identified risk cumulative likelihood and cumulative costs are estimated.
Also from the probability distributions only the following four distributions are available in
the risk register: normal, pert, uniform and discrete.
40
6.2.1 Risk simulation in selected company
The selected company uses @Risk software to perform risk analysis using a Monte Carlo
simulation. Running an analysis with @Risk software involves two steps:
Setting up Risk model
Running Risk simulation
The selected company sets a risk model by determining the following data:
Risk likelihood in percentage
Minimum, maximum and if possible most likely costs of risk
Probability distribution of risk
Table 10: Risk model of the Slovene subsidiary of the selected company according to the risk
review in March 2010
Risk Model
Risk Description ID Likelihood Min ML Max
Dis
trib
uti
on
Direct sales Distribution disruption 1 30% 50.000 € 100.000 € 110.000 € p
GDP below forecast 2 15% 250.000 € 300.000 € 450.000 € p
Increased competition
- PLG will increase activities in
AFB 3 10% 10.000 € 40.000 € 50.000 € p
Introduction of PET deposit 4 60% 10.000 € 80.000 € 100.000 € p
Increased outstanding debts 5 10% 70.000 € 80.000 € 150.000 € p
People retention SAP 6 10% 50.000 € 100.000 € 120.000 € p
Product quality issues still drinks-
Nestea 7 20% 10.000 € 15.000 € 17.000 € p
Traffic risk of sales personell 8 20% 5.000 € 8.000 € 9.000 € p
Knowledge transfer SAP 9 10% 10.000 € 20.000 € 32.000 € p
Relationship with main Key
account (Mercator) 10 10% 40.000 € 50.000 € 60.000 € p
Waste Packaging regulation change 11 40% 50.000 € 80.000 € 90.000 € p
Slovenian Customers buying from
foreign CCH countries 12 40% 40.000 € 50.000 € 60.000 € p
External supply point dependancy 13 15% 40.000 € 65.000 € 70.000 € p
Promotional mechanics 14 5% 10.000 € 20.000 € 22.000 € p
Employee strike 15 5% 10.000 € 50.000 € 60.000 € p
Changed labelling from GDA to
traffic light 16 10% 5.000 € 20.000 € 23.000 € p
Source: Risk model of the Slovene subsidiary of the selected company, 2010.
41
In the above model are presented identified risks in the Slovene subsidiary of the selected
company in March 2010. Risks are listed according to their priority which originates from
their qualitative assessment described in the previous chapter.
In the model risk likelihod is defined by senior management team. When defining risk
likelihod, senior management team should consider risk response plans which were identified
after qualitative risk assesment. Risk likelihod should be an estimation of risk occuring, after
response plans have been completed.
In the model follows estimation of minimum, maximum and most likely costs. This is
estimation of costs in the case that identified risk will occur.
One of the four probability distributions (pert, normal, uniform and discrete) should be chosen
for each identified risk. From the model we can see that in Slovene subsidiary only pert
distribution was used.
After risk model is fulfilled selected company uses @Risk software which recalculates risk
model thousands of times. Each time, @Risk samples random values from the risk functions
entered in the Risk model and records the resulting outcome. Risk software plots all of the
resulting outcomes on a graph called a cumulative probability curve or ‘S’ curve.
Figure 4: S Probability Curve for the Slovene subsidiary of the selected company according
to the risk review in March 2010
Risk Model Cumulative Probability Curve
52842
5.0%90.0%5.0%
0
0,2
0,4
0,6
0,8
1
-100 0
100
200
300
400
500
600
700
800
900
Values in Thousands
Source: Risk model output of the selected company, 2010.
42
The cumulative probability curve shows the likelihood of different outcomes occurring. From
the curve the percentiles can be recognized:
Table 11: The percentiles for cumulative impact of the identified risks for the Slovene
subsidiary of the selected company according to the risk review in March 2010
Percentiles (Millions Euros)
P05 0,862 €
P25 0,872 €
P75 1,150 €
P95 1,651 €
Source: Risk model output of the Slovene subsidiary of the selected company, 2010.
P95 informs us about the maximum cumulative impact of identified risks. In the above case
there is a 95% likelihood that identified risks will not have higher cumulative impact than
528.404 €. Similarly, P05 informs us that there is only a 5% likelihood that identified risks
will not have higher cumulative impact than 42.003 €.
Considering P05 and P95, we could say that there is a 90% likelihood that the cumulative
costs of identified risks will be between 42.003 € and 528.404 €.
6.2.2 Application of the risk simulation outputs
Besides the Cumulative Probability Curve, an important output of the risk simulation is a risk
sensitivity analysis which tells us which risks are the most influential according to the impact
they have on the cumulative risk
43
Figure 5: Risk Model Sensitivity analysis for the Slovene subsidiary of the selected company
according to the risk review in March 2010
Risk Model Sensitivity AnalysisRegression Coefficients
0.78
0.29
0.26
0.24
0.2
0.19
0.17
0.15
0.1
0.07
0.07
0.07
0.04
0.04
0.04
0.04
-0,1 0
0,1
0,2
0,3
0,4
0,5
0,6
0,7
0,8
Risk ID 2 / $H$13
Risk ID 1 / $H$12
Risk ID 11 / $H$22
Risk ID 4 / $H$15
Risk ID 6 / $H$17
Risk ID 5 / $H$16
Risk ID 12 / $H$23
Risk ID 13 / $H$24
Risk ID 10 / $H$21
Risk ID 3 / $H$14
Risk ID 15 / $H$26
Risk ID 4 / $H$15
Risk ID 9 / $H$20
Risk ID 7 / $H$18
Risk ID 16 / $H$27
Risk ID 2 / $H$13
Coefficient Value
Source: Risk model output of the Slovene subsidiary of the selected company, 2010.
From the above figure we can see that the risk with identification number 2 (risk that gross
domestic product will be below forecast) with regression coefficient 0,78 was most influential
for the selected company in March 2010. It is followed with the risk of distribution disruption
with regression coefficient 0,29 and the risk of changed waste packaging regulation with
regression coefficient 0,26.
By knowing its most influential risks, the company can adapt risk response plans so that most
resources are provided for most influential risks. The adaptation of initial response plans to
most influential risks usually leads to decrease in the company’s overall risk exposure. Re-
running of the risk simulation enables assessment of the benefits due to adapted risk response
44
plans. Furthermore, it enables a comparison between overall risk reduction and additional
costs due to the adaptation of initial risk response plans.
7 ANALYSIS OF THE ERM IN THE SELECTED COMPANY
In the past risk reporting in the subsidiaries of the selected company was fragmented. Namely
risks originating in different areas of the organization were being reported separately to the
board. The most critical risks that the company faced were managed from different
departments which often had little communication and cooperation. This approach was
leaving senior management in subsidiaries unable to assess the subsidiaries’ risk environment
in a holistic manner.
To view risks in a holistic manner several organizational obstacles must be overcome. For an
enterprise risk initiative to succeed there must be a leader of the initiative. In the selected
company a project for improvement of the ERM process in the subsidiaries was initiated by
the corporate Risk Department in the last quarter of 2009. The main goal was to improve
involvement of senior management teams in subsidiaries in risk assessment. The subsidiaries
nominated risk advisors, who took the responsibility to engage senior management teams in
risk assessment.
I was responsible for the improvement of the ERM process in the Slovene subsidiary of the
selected company. On the first risk review held in March 2010 there were no obstacles with
the involvement of the senior management team in risk assessment. On the first ERM
workshop in March 2010 I introduced the main changes in risk management process,
particularly the need that senior management team views all sources of risk. What contributed
most to successful starting point of the ERM process was a clear ERM framework which
included:
Clear ERM glossary: risk advisors, trained by experts from corporate risk department, enabled
that risk definitions, such as risk, risk management, ERM, likelihood and risk assessment
were properly understood by everyone in the organization.
Revised Risk policy supporting the achievement of the principal group business objectives
and assurance that risk management is executed in a robust, professional and efficient manner
across the group.
Common assessment criteria
Risk register
Risk model
The predefined risk universe common for all subsidiaries of the selected company was very
useful for risk identification in Slovene subsidiary and enabled that the senior management
45
team did not mainly focus on the financial sources of risk, which was a common practise in
the past.
The predefined assessment criteria helped to assess risks faster and brought uniform rules in
risk assessment. However, the senior management team often experienced difficulties using
the predefined assessment criteria. In the qualitative risk assessment two of the following five
impact categories should be chosen: EBIT, Company reputation/perception, Health and
Safety, Management effort and Quality. In the case of certain risks it was difficult to agree on
which the two most influential impact categories were. The senior management team often
linked certain risks with more than two impact categories (for example distribution disruption
could influence EBIT, reputation, management effort and quality). It was also difficult to
achieve consensus on risk likelihood between different senior management team members.
Risk response plans in the Slovene subsidiary of the selected company are commendable. For
every risk senior management team quickly defined a risk response plan, person responsible
and a due date. I understood that managers were already aware of most of the identified risks
and the implementation of risk response strategies was already part of their regular activities.
The response plan for one of the major risks (distribution disruption) was efficiently carried
out. The company engaged a new distributor already in April 2010 and no consumers were
affected. The risk of distribution disruption was significantly reduced and this decreased the
cumulative risk exposure calculated in June 2010.
The P95 from the risk review in March was 584.000 € (distribution disruption had significant
impact) while the P95 from the risk review in June was 456.796 € when the risk of
distribution disruption was significantly reduced.
Table 12: Comparison of percentiles for the cumulative impact of identified risks for the
Slovene subsidiary of the selected company according to the risk reviews in March and June
2010.
March 2010 June 2010
P 05 42.003 € 0 €
P 25 116.452 € 59.076 €
P 50 184.225 € 116.426 €
P 75 278.097 € 199.356 €
P 95 528.404 € 456.796 €
Source: Risk model output of the Slovene subsidiary of the selected company in March and June 2010.
While the senior management team was mostly interested in risk response plans and took care
that proper risk reduction plans were timely implemented, the quantification of risks remains
an unattractive area for the majority of senior management team.
46
Furthermore, the Risk model, used for risk quantification in the selected company is
simplified in a way that it only requires the cumulative likelihood and costs of identified risks.
It is not possible to determine the probability of different possible outcomes in the model,
although the @Risk software, that the company is using, enables calculation of risk based on
the probability of different possible outcomes. Furthermore, different probability
distributions, which could be used in the model, are ignored, since Pert distribution is always
used.
The cooperation of the senior management team in risk assessment worsened if I compare the
first risk review with the following risk reviews. While in the first review the senior
management team identified 16 risks; in the following risk reviews they did not identify any
additional risks. In the first risk review the senior management team actively participated in
risk assessment, while in the following risk reviews they briefly adjusted their initial
assessments. In the table 13 comparisons between likelihood and most likely costs of
identified risks according to the risk assessment in March and June is shown.
Table 13: Comparisons between likelihood and most likely costs of the identified risks
according to the risk assessment in March and June 2010
March 2010 June 2010
ID Risk Description Likelihood Most likely
costs Likelihood
Most likely
costs
1
Direct sales
Distribution
disruption
30% 100.000 € 10% 30.000 €
2 GDP below forecast 15% 300.000 € 15% 300.000 €
3
Increased
competition -PLG
will increase
activities in AFB
10% 40.000 € 20% 40.000 €
4 Introduction of PET
deposit 60% 80.000 € 10% 80.000 €
5 Increased
outstanding debts 10% 80.000 € 20% 80.000 €
6 People retention
SAP 10% 100.000 € 10% 100.000 €
7
Product quality
issues still drinks-
Nestea
20% 15.000 € 20% 15.000 €
8 Traffic risk of sales
personell 20% 8.000 € 20% 8.000 €
9 Knowledge transfer
SAP 10% 20.000 € 10% 20.000 €
10 Relationship with
main Key account 10% 50.000 € 10%
50.000 €
»continues«
47
March 2010 June 2010
ID Risk Description Likelihood Most likely
costs Likelihood
Most likely
costs
(Mercator)
11 Waste Packaging
regulation change 40% 80.000 € 30% 80.000 €
12
Slovenian Customers
buying from foreign
CCH countries
40% 50.000 € 40% 50.000 €
13 External supply
point dependancy 15% 65.000 € 15% 65.000 €
14 Promotional
mechanics 5% 20.000 € 5% 20.000 €
15 Employee strike 5% 50.000 € - -
Source: Risk model of the selected company, 2010.
Similarly the senior management team could not directly connect the percentiles for
cumulative impact of identified risks calculated by the @Risk software with their key
performance indicator EBIT.
One reason might be that each subsidiary is monthly submitting the planned profit and loss
account for the current year which is monthly updated according to the market situation and
internal information from different functions within the subsidiary. The Profit and loss
account planned for the coming months already considers main risks by adapting planned
volumes, prices or costs. For example, the risk that gross domestic product will be below
forecast is already incorporated in lower sales volumes planned. Similarly, the increased
competition is already incorporated in lower sales volumes or lower sales prices planned.
Since most of identified risks are incorporated in profit and loss planning and by that in
planned EBIT, it was difficult to define the relationship between the Risk model output and
subsidiary’s EBIT.
7.1 Suggestions for the selected company
The participation of the senior management team in the ERM process is an area, which needs
the most improvements in the selected company. The main reason for the lack of motivation
is that the senior management team believes that dealing with most influential risks is already
a part of their regular activities. Therefore, they found ERM to be an additional and too
bureaucratic process, while dealing with risk and implementing risk mitigation activities is
already included in their daily activities.
»continued«
48
In the Slovene subsidiary of the selected company cumulative risk exposure, measured by P95
from Cumulative probability distribution, has decreased from March to June 2010, mainly due
to effective response plan on the subsidiary’s main risk of distribution disruption.
But since March 2010 onwards no additional risks were identified and at the same time the
likelihood of initially identified risks was mostly decreased, the credibility of the cumulative
probability distribution is questionable. On the one hand, it could be that the subsidiary’s
cumulative risk exposure has actually decreased due to effective response plans. But taking
into account that the senior management team was not motivated enough in risk identification
in their further risk reviews, important risks could be left out from the risk analysis.
One of the most important things of the ERM process is to identify the impact of identified
risks on the organization’s goals. In Slovene subsidiary of the selected company senior
management team found no direct linkage between the risk model output (Cumulative
probability distribution) and the subsidiary’s key performance indicator EBIT, which is also
one of the main reasons for the lack of their motivation. Since most of the risks were already
incorporated in the financial planning (particularly profit and loss account), they maintained
that risks were being considered twice.
I would recommend that the ERM process should be upgraded in a way that direct linkage
between the ERM model output and EBIT, which is the company’s main performance
indicator, is established.
The company has purchased risk software which enables a vast variety of simulations. By
standardizing the risk register, the company did not turn to the advantage of many additional
features that the software has. An important feature of the software is to perform risk analysis
according to defined probabilities for different possible outcomes for each identified risk.
This feature was disabled since the Risk model in the selected company only requires the
cumulative probability of each identified risk. Therefore, it would be advantageous to upgrade
the Risk model in a way that different possible outcomes for each identified risk would be
determined.
Although the ERM process in the selected company can be improved, the selected company is
highly aware of risk. This can be verified by efficiently implemented risk response strategies
and a continuous effort of the management team to reduce the likelihood of different risks
occurring. The fact is that risk management in the selected company is an important part of
managers’ activities ever since the company was established. To manage risks efficiently was
also rigorously required by the company’s main shareholder The Coca Cola Company which
also shared its risk management practises and tools.
I would recommend to the management team of the Slovene subsidiary of the selected
company to continue with the collective identification and assessment of risks. The most
49
improvements should be done in the area of risk assessment and analysis. The predefined risk
assessment criteria should be reviewed and adapted to subsidiaries’ needs. To improve the
involvement of the senior management teams in subsidiaries in risk assessment, the direct
linkage between the ERM model output (cumulative probability of identified risks) and EBIT
should be established.
CONCLUSION
Multinational companies are facing uncertainty while operating on different markets. This
uncertainty can lead to unanticipated variation or negative variation in business outcome
variables such as revenues, costs, profits or market shares.
Managing risks efficiently has become an important management’s activity. Companies that
understand their risks better than their competitors are in a very powerful position to leverage
risk to a competitive advantage. Greater knowledge of risks delivers the ability to deal with
risk that intimidates competitors, to project adversity better than competitors, and to manage
risk at the lowest costs.
In the master’s thesis I have introduced the concept of Enterprise Risk Management (ERM)
and analysed its performance in the Slovene subsidiary of the selected multinational
company.
ERM is a process which enables identification and assessment of various risks that might
adversely or positively impact the performance of the organization. Vast variety of risks
should be treated in a holistic manner and the correlation of the various risks should be
analysed. ERM requires involvement of whole management team in the process. It can be
conceptualized by defining the types of risk included and the various risk management
process steps.
ERM in the selected company consists of the following three standard steps: risk
identification, risk assessment (qualitative and quantitative) and risk response. These steps
were presented and analysed for Slovene subsidiary of the selected company in this master
thesis.
The selected company has defined main risk areas that are specific for its business and should
be considered in the risk identification phase. The predefined risk universe was very useful
for risk identification in Slovene subsidiary of the selected company and enabled the senior
management team to not mainly focus on the financial sources of risk.
The predefined assessment criteria were developed for qualitative risk assessment. These
criteria brought uniform rules in risk assessment. However, the senior management team often
50
experienced difficulties using them and it was difficult to achieve consensus on risk
assessment among different senior management team members.
The selected company uses @Risk software to perform risk analysis using a Monte Carlo
simulation. Running an analysis with @Risk software involves two steps:
Setting up Risk model
Running Risk simulation
The risk model is set by determining the following data:
Risk likelihood in percentage
Minimum, maximum and if possible most likely costs of risk
Probability distribution of risk
@Risk software recalculates risk model thousands of times. Each time, @Risk samples
random values from the risk functions entered in the Risk model and records the resulting
outcome. Risk software plots all of the resulting outcomes on a graph called a cumulative
probability curve or ‘S’ curve.
However, the senior management team could not directly connect the percentiles for
cumulative impact of identified risks calculated by the @Risk software with their key
performance indicator EBIT. This was the main reason for the lack of senior management
team’s motivation in further risk assessments.
In the Slovene subsidiary of the selected company risk response plans proved to be very
efficient in the first half of the year 2010. One of the major risks was distribution disruption
since one of the major distributors was facing serious liquidity problems. This risk was
efficiently managed and that decreased the subsidiary’s overall risk exposure measured by the
cumulative risk probability distribution. Furthermore, on all risks identified at the beginning
of 2010, risk response plans were agreed and actually executed.
The main goal of improvement of the ERM process in the subsidiaries of the selected
company was to involve the senior management teams in risk identification and assessment.
Efficient ERM process would increase awareness of the senior management teams of various
risks that could affect the performance of their subsidiaries.
Since the selected company was developing its risk management capabilities since its
establishment and risk mitigation planning was a part of management’s and employees’
regular work, the senior management team found the new approach in ERM more of a
documented process, while dealing with risk and implementing the risk mitigation activities is
already included in their daily activities.
51
To improve the involvement of the senior management teams in subsidiaries in the ERM
process, the direct linkage between the ERM model output (cumulative probability of
identified risks) and EBIT should be established.
52
LITERATURE AND SOURCES
1. Alviniussen, A. & Jankensgård, H. (2009). Enterprise Risk budgeting: Bringing Risk
Management into the Financial Planning process. Journal of Applied Finance, 19(2), 178-
192.
2. Bartram, M. S. (2000). Corporate Risk management as a Lever for Shareholder Value
creation. Financial Markets, Institutions and Instruments, 9(5), 279-324.
3. Beasley, Mark S. & Frigo, Mark L. (2007). Strategic risk management: creating and
protecting value. Strategic Finance, 88(11), 25-53.
4. Berk, A. Skok (2005). Enterprise Risk management practises in Slovenia and their impact
on performance. Ljubljana: Ekonomska fakulteta.
5. Boczko, A. (2005). Country risk. Financial management, February 2005, 25-26.
6. Brooks, I. & Weatherson, J. & Wilkinson, G. (2004). The International business
Environment. Harlow: Prentice Hall.
7. Casualty Actuarial Society. Overview of Enterprise Risk Management. Retrieved
February 10th, 2010 on http://www.casact.org/research/erm/overview.pdf
8. Clark, E. & Marois, B. (1996). Managing risk in international business: Techniques and
applications, (n.p): International Thomson Business Press.
9. Clarke, J. Christopher & Varma, S. (1999). Strategic Risk management: The new
competitive edge. Long Range Planning, 32(4), 414-424.
10. Committee of Sponsoring Organizations of the Treadway Commission. Enterprise risk
managemenIntegratedframework. Retrieved August 10th, 2010 on
http://www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdf
11. Czinkota, R. Michael, Ronkainen, A. IIka, & Moffett, R. Michael. (2005). International
business. Mason: Thomson South-Western.
12. Davenport W. Edgar & Bradley L. Michelle. (2000). Enterprise Risk Management: A
ConsultativePerspective.CasualtyActuarialSociety Retrieved February 10th, 2010 on
http://www.casact.org/pubs/dpp/dpp00/00dpp23.pdf
13. Decisioncraft. Enterprise Risk management. Retrieved August 12th, 2010 on
http://www.decisioncraft.com/dmdirect/erm.htm
14. Dimakos, Xeni K. & Aas, K. (2004). Integrated Risk modelling. International Journal,
4(4), 265-277.
15. Fatemi, M. Ali & Luft, C. (2002). Corporate Risk management. Costs and benefits.
Global Finance Journal, 13(1), 29-38.
16. Gregorio, D. (2005). Re-thinking country risk: insights from entrepreneurship theory.
International business review, 14(2).
17. Harper, D. (2010). An introduction to Value at Risk. Retrieved September 14th, 2010 on
http://www.investopedia.com/articles/04/092904.asp#12844835927812&close
18. Hilmi, N. (2007). Foreign direct investment by Multinational companies and by Collective
investment firms. Retrieved September 5th, 2010 on
http://mibes.teilar.gr/conferences/2007/poster/Hilmi-Ketata-Safa.pdf
53
19. Hoyt, Robert E., Powell, Lawrence S. & Sommer, David W. (2007). Computing Value at
Risk: A Simulation Assignment to Illustrate the Value of Enterprise Risk Management.
Risk Management & Insurance Review, 10(2), 299-307.
20. Internal sources of the selected company
21. Jensen, M. & Meckling, W.H. (1976). Theory of the firm: Managerial behaviour, agency
costs, and ownership structure. Journal of Financial Economics, 3(4),305-360.
22. Jolly, A. (2003). Managing Business Risk. London: Kogan Page.
23. Jorion, P. (2007). Value at risk: the new benchmark for managing financial risk. New
York: The McGraw-Hill companies.
24. Kimbrough, R. L. & Componation, P. J. (2009). The relationship Between Organizational
Culture and Enterprise Risk management. Engineering Management Journal, 21(2), 18-
26.
25. Loghry, J. D. & Veach, C. B. (2009). Enterprise Risk assessments. Professional Safety,
54(2), 31-35.
26. Marshall, J. & Heffes, Ellen M. (2005). Most Firms Agree: ERM Is a Challenge.
Financial Executive, 21(8), 10-10.
27. Miller D. Kent & Bromiley, P. (1990). Strategic Risk and Corporate Performance: An
Analysis of Alternative Risk Measurers. Academy of Management Journal, 33(4), 756-
779.
28. Miller, D. Kent (1992). A framework for integrated risk management in international
business. Journal of International business studies, 23(2), 311-331.
29. Palisade portal. Retrieved August 16th, 2010 on http://www.palisade.com/risk
30. Perrott, E. Bruce (2007). A strategic risk approach to knowledge management. Business
Horizons, 50(6), 523-533.
31. PriceWaterhouseCoopers portal. Integrating political risk into Enterprise Risk
Management. Retrieved September 19th, 2010 on
http://www.pwc.com/en_GX/gx/political-risk-consulting-services/pdf/praermfinal.pdf
32. Rajendran, M., Madabhushi, R. (2010). Risk exposure of Multinational firms in India.
Global studies Journal, 2(1), 11-24.
33. Reeb, M. David & Kwok, C. & Bayek, Young H. (1998). Systematic risk of the
Multinational Corporation. Journal of International Business Studies, 29, 263–279.
34. Risk management solutions. Retrieved March 15th, 2010 on http://www.rms.com
35. Sanchez, H., Robert, B. & Pellerin, R. (2008). Project Portfolio Risk-Opportunity
Identification Framework. Project Management Journal, 39(3), 97-109.
36. Schanfield, A. & Helming, D. (2008). 12 Top ERM Implementation Challenges. Internal
Auditor, 65(6), 41-44.
37. Skočir, M. (2008). Teoretični motivi upravljanja s tveganji v podjetjih (diplomsko delo).
Ljubljana: Ekonomska fakulteta.
38. Smith, T. Joan & Roth, K. (1990). Cost Effectiveness of Risk Management Practices.
Journal of Risk and Insurance, 57(3), 455-477.
39. Stanovnik, S. (2004). Strateški vidik integralnega modela obvladovanja poslovnih tveganj
(diplomsko delo). Ljubljana: Ekonomska fakulteta.
54
40. Wall, D. M. (1997). Distributions and correlations in Monte Carlo simulation.
Construction Management & Economics, 15(3), 241-258.
41. Whorthington, J. William, Collins, D. Jamie & Hitt, A. Michael (2009). Beyond risk
mitigation: Enhancing corporate innovation with scenario planning. Business Horizons,
52(5), 441-450.
42. Xing, J. & Zhang, Allen X.(2006). Reclaiming Quasi--Monte Carlo Efficiency in Portfolio
Value-at-Risk Simulation through Fourier Transform. Management Science, 52(6), 925-
938.
APPENDIX
List of appendix
Appendix 1: Povzetek ..................................................................................................................... 1
Appendix 2: List of abbrevations .................................................................................................... 3
1
Appendix 1: Povzetek
Multinacionalna podjetja poslujejo na številnih trgih, ki imajo različne politične, finančne in
ekonomske sisteme. Heterogenost okolja, v katerem poslujejo, ima močan vpliv na njihovo
izpostavljenost tveganjem. Ta tveganja lahko vplivajo na prihodke, stroške, tržne deleže
multinacionalnih podjetij in s tem na njihov poslovni rezultat.
Upravljanje s tveganji je postala pomembna aktivnost managerjev. Poznavanje in upravljanje
s tveganji bolje od konkurentov, lahko postane pomembna konkurenčna prednost podjetij.
V magistrski nalogi sem predstavila koncept celovitega obvladovanja poslovnih tveganj.
Proces celovitega obvladovnja poslovnih tveganj sem analizirala v slovenski podružnici
izbranega mednarodnega podjetja, ki se ukvarja s proizvodnjo, distribucijo in prodajo
brezalkoholnih pijač.
Celovito upravljanje s tveganji je proces, ki omogoča identifikacijo in oceno različnih vrst
tveganj, ki lahko negativno ali pozitivno vplivajo na poslovanje podjetja. Različna tveganja, s
katerimi se srečuje podjetje, je potrebno obravnavati celovito in analizirati njihovo
medsebojno povezanost. Celovito obvladovanje s tveganji je lahko konceptualizirano z
določitvijo vrst tveganj, vključenih v proces, in korakov, ki so potrebni za njihovo
obvladovanje.
Proces celovitega obvladovanja poslovnih tveganj ima v izbranem podjetju tri temeljne
korake: identifikacija tveganj, kvalitativna in kvantitativna ocena tveganj in odziv na
tveganja. Ti koraki so bili predstavljeni in analizirani v slovenski podružnici izbranega
multinacionalnega podjetja.
Izbrano podjetje je določilo glavna področja tveganj, ki so značilna za njegovo poslovanje in
morajo biti upoštevana v fazi identifikacije tveganj v vseh podružnicah. Vnaprej določena
področja tveganj, so olajšala identifikacijo tveganj v slovenski podružnici izbranega podjetja
in pripomogla k temu, da se vodstvo podjetja ni osredotočilo zgolj na finančna tveganja.
Ravno tako je izbrano podjetje vnaprej določilo kriterije za kvalitativno ocenjevanje tveganj.
Ti kriteriji naj bi zagotovili enotna pravila pri ocenjevanju tveganj v različnih podružnicah.
Vendar je vodstvo slovenske podružnice izbranega podjetja z uporabo vnaprej določenih
kriterijev težko ocenjevalo identificirana tveganja, saj jim pogosto ni ustrezala nobena ocena,
ki so jo ponujali omenjeni kriteriji.
Analiza poslovnih tveganj v izbranem podjetju poteka tako, da se najprej pripravi model
poslovnih tveganj, kjer se za vsako identificirano tveganje določiti verjetnost njegovega
nastopa, minimalen, maksimalen ter najverjetnejši znesek stroškov v primeru nastopa
posameznega tveganja ter verjetnostno porazdelitev. Uporaba programske opreme @Risk
2
podjetju omogoča analizo poslovnih tveganj z Monte Carlo simulacijo. Vrednosti posameznih
poslovnih tveganj so naključno izbrane iz modela poslovnih tveganj. Programska oprema
@Risk jih več tisočkrat preračuna in rezultate prikaže v obliki kumulativne verjetnostne
porazdelitvene krivulje tveganj.
Vendar vodstvo slovenske podružnice izbranega podjetja ni videlo neposredne povezave med
rezultatom modela poslovnih tveganj in dobičkom, ki je glavni pokazatelj uspešnosti
slovenske podružnice izbranega podjetja. To je bil tudi glavni razlog, da se je motivacija
vodstva za kvalitativno in kvantitativno ocenjevanje poslovnih tveganj, močno znižala.
Odziv na identificirana tveganja je bil v slovenski podružnici izbranega podjetja zelo dober.
Enega izmed najpomembnejših tveganj je predstavljalo tveganje uničenja distribucijske
mreže, saj je imel najpomembnejši prevoznik, katerega storitve je podjetje koristilo že vrsto
let, hude likvidnostne težave. Izpostavljenost temu tveganju je podjetje uspešno znižalo, kar je
bistveno znižalo celovito izpostavljenost poslovnih tveganjem, merjeno z kumulativno
verjetnostno porazdelitvijo tveganj. Ravno tako se je vodstvo slovenske podružnice izbranega
podjetja odzvalo na vsa identificirana tveganja in pripravilo aktivnosti za zmanjševanje
identificiranih poslovnih tveganj.
Glavni cilj projekta za izboljšanje celovitega obvladovanja poslovnih tveganj v podružnicah
izbranega podjetja je bil vključiti vodstvo podružnic v identifikacijo in oceno poslovnih
tveganj. Glede na to, da je izbrano podjetje poudarjalo in razvijalo sposobnosti vodstva za
upravljanje s poslovnimi tveganji vse od njegove ustanovitve, je vodstvo slovenske
podružnice nov pristop k upravljanju poslovnih tveganj dojelo kot preveč dokumentiran
proces, medtem ko so bile aktivnosti za zmanševanje poslovnih tveganj že vključene v
njihove redne aktivnosti.
Enega izmed najpomembnejših ciljev procesa celovitega obvladovanja poslovnih tveganj
predstavlja določitev vpliva identificiranih tveganj na poslovni rezultat podjetja. Da bi v
prihodnje povečali vključenost vodstva v identifikacijo in oceno poslovnih tveganj, bi bilo
potrebno izpostaviti neposredno povezavo med rezultatom modela poslovnih tveganj in
dobičkom, ki je glavni pokazatelj uspešnosti slovenske podružnice.
3
Appendix 2: List of abbrevations
CAS Casualty Actuarial Society
COSO Committee of Sponsoring Organizations of the Treadway Commission
ERM Enterprise Risk Management
EBIT Earnings Before Interest and Taxes
H, S & E Health, Safety and Environment
ISO International Standardization Organization
MNC Multinational company
PLP Property Loss Prevention
R&D Research and Development
VAR Value at Risk